More Than a Tech Refresh: BOD 26-02 is About Proactive Risk Management
Posted by: Timothy Amerson
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) Binding Operational Directive 26-02 (BOD 26-02) draws a clear line in the sand: End-of-support (EOS) edge devices are no longer an acceptable risk. Why? Because they sit at the network boundary, are actively targeted, and frequently undermine zero trust assumptions the moment they are compromised. By following the prescriptive guidance in BOD 26-02, federal agencies can work toward a proactive risk management strategy that keeps organizations safe without overblowing budgets or compromising critical missions.
You may remember that in January 2022 the U.S. federal government mandated a shift to zero trust architecture — a “Never Trust, Always Verify” security model — to modernize cybersecurity. It set major compliance targets for 2024-2025 (Federal Civilian Executive Branch, or FCEB, agencies) and 2027+ (Department of War, or DoW). Like BOD 26-02, the intention was to help federal agencies better defend against advanced threats, in this case by ensuring robust identity management, device tracking, network segmentation, and strict data categorization.
But here’s the reality:
Zero trust does not mean breaches won’t happen.
It means they are less likely to take the mission down with them.
Why Blast Radius Is the Real Risk
In legacy architectures, edge devices are often over-privileged, under-segmented, and implicitly trusted. In other words, the blast radius with legacy architectures can be vast. The number of outdated systems, data, and users further broadens the blast radius. When attackers exploit one device, everything downstream is ripe for exposure, meaning more devices would be affected by a single compromised account or vulnerability.
Zero trust changes the question from:
“Can this device be breached?”
to
“What happens when it is?”
Microsegmentation: The Start of Proactive Risk Management
Microsegmentation divides your network into small, secure zones. By isolating edge devices, restricting east-west movement, and enforcing policy-based access, federal agencies can dramatically reduce the potential blast radius. Microsegmentation is designed on the assumption that active exploitation will happen. By applying identity-based policies at a granular level, you proactively reduce the risk of a single breach becoming a network-wide infiltration.
Identity Becomes the Control Plane, Even for Edge Infrastructure
Many edge environments still rely on static admin credentials, shared accounts, and long-lived trust relationships. In contrast, zero trust treats identity as dynamic, not static. The core tenet of zero trust is never trust, always verify. Decisions are no longer based on a one-time, static login. Instead, every access request is contextualized based on risk profiles, elevating security when risk is high and reducing friction when access is predictable and expected.
Legacy edge environments are often not zero trust compliant, or even compatible. This becomes an issue because BOD 26-02 mandates removal of devices that cannot:
- Be continuously validated
- Receive security updates
- Prove a trustworthy posture
In other words, if a device cannot continuously prove its identity and state, it should not be trusted, regardless of location.
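The three removal criteria above, together with the risk-contextual access decisions and east-west segmentation described earlier, can be expressed as a small policy check. The following is an added example, not code from the post or from GuidePoint Security: the device fields, the one-hour attestation window, the risk threshold of 0.7, the zone names and the allow-list are all assumed sample values constructed for illustration.

```python
"""Added example (not from the original post): a zero trust policy check for edge devices.
Device records, zones, thresholds and the east-west allow-list are constructed sample data."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class EdgeDevice:
    device_id: str
    zone: str                              # microsegment the device sits in
    eos_date: Optional[date]               # vendor end-of-support date; None = still supported
    last_attestation: Optional[datetime]   # last successful identity/posture check; None = never
    patch_current: bool                    # device still receives and has applied security updates
    posture_ok: bool                       # last attestation reported a trustworthy state


ATTESTATION_MAX_AGE = timedelta(hours=1)   # assumed freshness window for "continuously validated"
HIGH_RISK_THRESHOLD = 0.7                  # assumed score above which access is elevated (step-up)

# Assumed east-west allow-list: (source zone, destination zone, TCP port).
# Any flow not listed is denied by default, which is the microsegmentation stance.
ALLOWED_FLOWS = {
    ("edge-vpn", "app-tier", 443),
    ("app-tier", "db-tier", 5432),
}


def trust_findings(dev: EdgeDevice, now: datetime) -> List[str]:
    """Return the reasons a device fails the three criteria (empty list means trusted)."""
    findings = []
    if dev.eos_date is not None and dev.eos_date <= now.date():
        findings.append("end-of-support")
    if not dev.patch_current:
        findings.append("no-security-updates")
    if dev.last_attestation is None or now - dev.last_attestation > ATTESTATION_MAX_AGE:
        findings.append("not-continuously-validated")
    if not dev.posture_ok:
        findings.append("untrusted-posture")
    return findings


def evaluate_flow(src: EdgeDevice, dst_zone: str, port: int,
                  risk_score: float, now: datetime) -> Tuple[str, List[str]]:
    """Decide one east-west request: 'deny', 'step-up' (re-verify identity) or 'allow'.

    Device state is checked on every request, not once at login, and the segment
    policy is consulted even for a healthy device, regardless of where it sits."""
    findings = trust_findings(src, now)
    if findings:
        return "deny", findings
    if (src.zone, dst_zone, port) not in ALLOWED_FLOWS:
        return "deny", ["no-segment-policy"]
    if risk_score >= HIGH_RISK_THRESHOLD:
        return "step-up", ["high-risk-context"]
    return "allow", []


def devices_to_remove(inventory: List[EdgeDevice], now: datetime) -> List[str]:
    """Inventory sweep: every device failing at least one criterion goes on the removal list."""
    return sorted(d.device_id for d in inventory if trust_findings(d, now))


# Constructed sample inventory (not real devices or dates).
NOW = datetime(2026, 3, 1, 12, 0)
SAMPLE_INVENTORY = [
    EdgeDevice("fw-legacy-01", "edge-vpn", date(2024, 6, 30), NOW - timedelta(minutes=5), False, True),
    EdgeDevice("fw-new-02", "edge-vpn", None, NOW - timedelta(minutes=10), True, True),
    EdgeDevice("vpn-stale-03", "edge-vpn", None, NOW - timedelta(hours=3), True, True),
]

if __name__ == "__main__":
    print("remove:", devices_to_remove(SAMPLE_INVENTORY, NOW))
    for dev in SAMPLE_INVENTORY:
        for risk in (0.2, 0.9):
            print(dev.device_id, risk, evaluate_flow(dev, "app-tier", 443, risk, NOW))
```

Running the script shows the legacy firewall denied for being past end-of-support and unpatched, the stale VPN device denied because its last attestation is outside the freshness window, and the healthy device allowed at low risk but pushed to step-up verification when the request context is high risk; a request from the healthy device to the database tier is denied because no segment policy permits that flow.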
Incremental Refresh Is the Winning Strategy for Proactive Risk Management
The agencies that struggle most with BOD 26-02 are those that are waiting for a massive refresh cycle. In my previous blog, ‘BOD 26-02 Isn’t a Firewall Problem,’ I talked about building a staggered refresh strategy to maintain updates within budget and resource constraints.
The agencies who will succeed will:
- Refresh in small, predictable increments
- Standardize edge platforms
- Align procurement with lifecycle governance
This approach reduces outages, spreads cost over time to minimize budget impact, and prevents EOS tech debt from re-accumulating.
Zero Trust Maturity Is the Real Goal
Buying zero trust tools does not make an agency zero trust compliant. That maturity comes from continuous discovery, continuous validation, automated containment, and measurable reduction in blast radius.
BOD 26-02 gives agencies the forcing function they’ve needed to make zero trust real at the edge.
Final Thoughts
BOD 26-02 is not a compliance problem, it’s a resilience opportunity. It makes agencies treat edge devices as part of proactive risk management rather than a periodic upgrade cycle. Microsegmentation is what makes the shift real. By limiting blast radius, enforcing least privilege at the network layer, and reducing dependency on aging devices that lack enforceable updates, agencies can mature zero trust in a practical, measurable way. Those that use BOD 26-02 as a catalyst will operate more securely, recover faster, and reduce mission risk.
Ready to get started toward proactive risk management, incremental updates, and zero trust maturity? GuidePoint Security meets you where you are and provides tailored solutions to help you solve your most complex security challenges with service and solution offerings to fit your specific needs.
Timothy Amerson
Federal Chief Information Security Officer (CISO),
GuidePoint Security
Timothy Amerson is currently the Federal Chief Information Security Officer (CISO) at GuidePoint Security, while also serving as the President of the Board of Directors for The KEY (Keep Elevating Yourself) Community Non-Profit. He brings more than 30 years of distinguished service in federal cybersecurity leadership. Most recently, he served as the CISO and Associate Commissioner at the Social Security Administration (SSA), where he was recognized as a 2023, 2024 and 2025 Top 100 Information Security Professional; 2024 FedScoop Top 50 Federal Leader Nominee; 2025 CyberScoop Government Leaders, FedScoop Top 50 Federal Leader Nominee, and Finalist US Forces in Business Lifetime Achievement Award.
At SSA, Mr. Amerson was responsible for enterprise-wide cybersecurity operations including Cybersecurity Risk Management (CSRM), Zero Trust Architecture (ZTA), FISMA compliance metrics, 24x7 Security Operations Center (SOC), Continuous Diagnostics and Mitigation (CDM), Red and Blue Team operations, Vulnerability Management, Insider Threat programs, Cyber Supply Chain Risk Management (C-SCRM), and secure software practices. Under his leadership, SSA’s FISMA scores increased from 70% to 98%, elevating the agency to one of the top performers across all Federal Civilian agencies.
Prior to SSA, Mr. Amerson held multiple senior leadership roles at the Department of Veterans Affairs (VA), including Director of Infrastructure Cybersecurity Management, Cybersecurity Product Line Manager, and (Detailed) Director of the National Data Center Operations and Logistics program. He was named a 2021 FedScoop “Best Bosses in Federal IT” finalist for his transformational leadership. He began his Federal Civilian IT career on the help desk at the Texas National Guard Joint Force Headquarters and rose through the ranks to become Chief Technology Officer.
Mr. Amerson is a decorated Army veteran with 32 years of service, including combat and state-side deployments, and has served as Platoon Leader, Commander, and Operations Officer. He also served as Deputy of the Computer Emergency Response Team, Deputy of the Defense Cyberspace Operations Element, and established the first multi-state Cyber Protection Team (CPT). He participated in and led Red and Blue Team activities during major national cyber exercises, including Cyber Storm (DHS), Cyber Shield (USCYBERCOM), and Cyber Guard (NGB), in partnership with the NSA, FBI, FEMA, and ODNI. He has received numerous commendations, including the Legion of Merit, Bronze Star Medal, four Meritorious Service Medals, and recognition from several professional associations, including the Silver Order of Thor (Cyber), the Silver Order of Mercury (Signal), and the Bronze Order of Saint George (Cavalry).
He holds a Master of Science in Computer Science with a Specialization in Cybersecurity (Summa Cum Laude) and a Bachelor of Science in Computer Information Systems, is a graduate of the Army Cyber Center of Excellence and the Command & General Staff College, and maintains over 30 certifications, including Certified Information System Security Professional (CISSP), Project Management Professional (PMP), Certified Ethical Hacker (CEH and Hall of Fame), Certified Chief Information Security Officer (aC|CISO), Certified Competency in Zero Trust (CCZT), International Society of Automation (ISA)/International Electrotechnical Commission (IEC) 62443 Cybersecurity Expert, and Microsoft Certified Educator (MCE).
In his personal time, Mr. Amerson is passionate about cybersecurity, education, and outreach. He served as a conference coordinator for the Texas Cyber Summit and DEF CON, and mentored students on cybersecurity teams at both the high school and collegiate levels, resulting in numerous national awards, grants, and scholarships.